topic Re: Panorama pushed zone not applied to subinterface in General Topicshttps://live.paloaltonetworks.com/t5/general-topics/panorama-pushed-zone-not-applied-to-subinterface/m-p/269797#M74661
<P>My issue was L3 Interfaces, sub-Interface and now Tunnel interface</P>Thu, 13 Jun 2019 22:02:51 GMTITDT_IPCO2019-06-13T22:02:51ZPanorama pushed zone not applied to subinterfacehttps://live.paloaltonetworks.com/t5/general-topics/panorama-pushed-zone-not-applied-to-subinterface/m-p/269381#M74615
<P>Its a new firewall, with 2 interfaces in AE, zone configured and pushed through panorama template.</P><P>When configuring L3 sub-interface for this AE interface, i can configure ip, vr but the security zone would not get applied to it.</P><P>Both firewall and panorama at 8.1.8</P>Wed, 12 Jun 2019 21:54:18 GMThttps://live.paloaltonetworks.com/t5/general-topics/panorama-pushed-zone-not-applied-to-subinterface/m-p/269381#M74615raji_toor2019-06-12T21:54:18ZRe: Panorama pushed zone not applied to subinterfacehttps://live.paloaltonetworks.com/t5/general-topics/panorama-pushed-zone-not-applied-to-subinterface/m-p/269795#M74660
<P>Same issue, Panorama 8.1.8 firewall is running 8.0.18</P>Thu, 13 Jun 2019 21:59:11 GMThttps://live.paloaltonetworks.com/t5/general-topics/panorama-pushed-zone-not-applied-to-subinterface/m-p/269795#M74660ITDT_IPCO2019-06-13T21:59:11ZRe: Panorama pushed zone not applied to subinterfacehttps://live.paloaltonetworks.com/t5/general-topics/panorama-pushed-zone-not-applied-to-subinterface/m-p/269797#M74661
<P>My issue was L3 Interfaces, sub-Interface and now Tunnel interface</P>Thu, 13 Jun 2019 22:02:51 GMThttps://live.paloaltonetworks.com/t5/general-topics/panorama-pushed-zone-not-applied-to-subinterface/m-p/269797#M74661ITDT_IPCO2019-06-13T22:02:51ZRe: Panorama pushed zone not applied to subinterfacehttps://live.paloaltonetworks.com/t5/general-topics/panorama-pushed-zone-not-applied-to-subinterface/m-p/270044#M74683
<P>We just had simular issue.</P><P>&nbsp;</P><P>This is related to the bug that was though to be address in 8.1.7, but it resurfaced in 8.1.8.</P><P>&nbsp;</P><P>Here is support's response.</P><P>&nbsp;</P><P>"...</P><P>&nbsp;</P><P>As discussed, it looks like a bug in JIRA (PAN-118603 duplicated with PAN-119175) in PAN-OS 8.1.8 where Partial local commit on Panorama is not applying changes to shared address groups. In this case we tested and this bug also applied to the security zone in network tab.<BR /><BR />Workaround is do a "Commit All Changes" to the panorama and then push to devices.<BR /><BR />Note: The report showed the issue is not visible in PAN-OS 8.1.7, but issue is visible in PAN-OS 8.1.8.<BR /><BR />Our engineering team is still working on the fix for that issue.<BR />It may get fixed in PAN-OS 8.1.9.</P><P>&nbsp;</P><P>..."</P>Fri, 14 Jun 2019 14:42:57 GMThttps://live.paloaltonetworks.com/t5/general-topics/panorama-pushed-zone-not-applied-to-subinterface/m-p/270044#M74683Neil_Xu2019-06-14T14:42:57ZRe: Panorama pushed zone not applied to subinterfacehttps://live.paloaltonetworks.com/t5/general-topics/panorama-pushed-zone-not-applied-to-subinterface/m-p/270277#M74706
<BLOCKQUOTE><HR /><LI-USER uid="56500"></LI-USER>&nbsp;wrote:<BR /><P>Workaround is do a "Commit All Changes" to the panorama and then push to devices.</P><HR /></BLOCKQUOTE><P><LI-USER uid="56500"></LI-USER>&nbsp;does this workaround work for you? In my situation is wasn't working. I don't evdn know if my problem is related to this one. I started with creating a zone. After that I applied it to a new L3 subinterface and tried to push the config to the firewall. The new L3 subinterface was created on the firewall but without the zone applied. After some desperate tries I created another zone in panorama, applied it to the interface and pushed the configurarion. This time the zone was also applied to the interface. The previous existing zone which still is configured in panorama was still not pushed to the firewall. Next try was that I again applied the first zone to the interface, deleted the second one and then renamed the initial zone to the name of the second zone. Again the zone was pushed to the firewall. After renaming the zone again to the inital name and another config push the zone disapeared again ... very strange behaviour ...</P>Sat, 15 Jun 2019 20:36:53 GMThttps://live.paloaltonetworks.com/t5/general-topics/panorama-pushed-zone-not-applied-to-subinterface/m-p/270277#M74706vsys_remo2019-06-15T20:36:53ZRe: Panorama pushed zone not applied to subinterfacehttps://live.paloaltonetworks.com/t5/general-topics/panorama-pushed-zone-not-applied-to-subinterface/m-p/270536#M74722
<P><LI-USER uid="16592"></LI-USER>&nbsp;Yes, this workaround worked for me, but not ideal and Palo is working on resolving this issue.</P><P>&nbsp;</P><P>I'm sure you know and have done these, but this is the step-by-step:</P><P>&nbsp;</P><P>1 - Make sure that at the local firewall level that the zone and interfaces are inherent to that of Panorama's configuration.&nbsp;</P><P>2 - Execute "Commit All Changes" on the panorama, then "Push" it to the local firewall.</P><P>3 - Refresh the page (F5) for the local firewall web interface.&nbsp;</P><P>&nbsp;</P><P>I'd say if this still doesn't work for you, then you may have a separate issue that support need to be involved.&nbsp; The good thing is that support already have (or know) simuilar issues and they can perform a debug to follow the logs on the firewall to your sepicific issue.</P><P>&nbsp;</P><P>Hope this helps some...&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P>Mon, 17 Jun 2019 12:42:21 GMThttps://live.paloaltonetworks.com/t5/general-topics/panorama-pushed-zone-not-applied-to-subinterface/m-p/270536#M74722Neil_Xu2019-06-17T12:42:21ZRe: Panorama pushed zone not applied to subinterfacehttps://live.paloaltonetworks.com/t5/general-topics/panorama-pushed-zone-not-applied-to-subinterface/m-p/290051#M77080
<P>Having same problem in Panorama 9.0.3-H3 and PA-5260 with 9.0.3-H3.&nbsp; Looks like doing the workaround (full commit and push) didn't work for me either</P>Wed, 25 Sep 2019 19:40:48 GMThttps://live.paloaltonetworks.com/t5/general-topics/panorama-pushed-zone-not-applied-to-subinterface/m-p/290051#M77080Lindsay_Mickey2019-09-25T19:40:48Z